Digital Certificates Chaos Could Cost Companies $398 Million

More than half of organizations don't know where their encryption keys and digital certificates are deployed, how they are being used and who is using them. Nor do they have an accurate inventory of their keys and certificates. This makes them vulnerable to attacks that target trust instruments.

Trust. It is the basis of all digital transactions. We trust that our inventory systems are providing the correct information, that the documents we're reading have not been altered, that the entity on the other side of a financial transaction is our bank.

But outside of the security function, the mechanisms of trust in the digital world—the mechanisms that every business and government agency rely on to ensure that communications and transactions conducted across the Internet and within closed networks remain trusted, private and compliant with regulations—are not readily understood. That makes them vulnerable, and criminals are increasingly beginning to prey on that trust.

Imagine, for instance, a criminal exploiting a digital certificate for a printer in the executive suite, giving the bad guys the capability to read every document as it's printed.

"Those executives might not want to put sensitive documents in email because they feel email is too insecure, but they might as well just email it directly to the people who want to manipulate the stock price," Hudson says. "Nobody's looking. The criminals will figure out how to get into the stream."

Attacks on Trust Will Cost Enterprises Average of $35 Million

According to a new study by Ponemon Institute, underwritten by Venafi, Global 2000 organizations are projected to lose an average of $35 million over the next 24 months due to attacks on trust. Larry Ponemon, chairman and founder of Ponemon Institute Research, says that estimate is based on a total possible cost exposure of $398 million per organization.

"In partnering with Venafi, we set out to answer for the first time one of the most sought after questions in information security and compliance: What are the precise financial consequences of failed trust from malicious attacks that exploit cryptographic key and certificate management failures?" Ponemon says.

"We rely on keys and certificates to provide the bedrock of trust for all business and government activities, online and in the cloud. Yet criminals are turning our dependence on these trust instruments against us at an alarming rate," Ponemon says.

"This new research not only allows us to quantify the cost of these trust exploits, but also gives insight into how enterprise failures in key and certificate management open the door to criminals," Ponemon adds.

"More than half of the companies surveyed, for instance, do not know how many keys and certificates they have, which is both a serious security issue and Governance, Risk and Compliance (GRC) gap that executives must address with proper controls," Ponemon says.

"It's not surprising then that all companies we spoke with had suffered an attack on trust due to failed key and certificate management, or that these attacks are projected to cost organizations an average of $35 million, with a maximum possible cost exposure of $398 million per organization, according to Ponemon. This level of risk and exposure demands remediation."

Ponemon Institute surveyed 2,342 respondents from within the Global 2000 in Australia, France, Germany, the U.K. and U.S. The respondents represented 16 unique vertical industries, the top five of which were these: financial services, public sector, consumer products, services (including audit and consulting) and education and research.

"The empirical question was: If an organization experiences a meltdown involving their encryption key or certificate management, what would happen?" Ponemon explains. "We attempted to extrapolate a maximum cost per exposure."

Ponemon had respondents evaluate four cost categories for each type of attack:

Incidence reponse

Lost productivity

Revenue loss

Brand and reputation damage

"Using this methodology, what we were able to do was estimate and extrapolate the costs of the different scenarios," Ponemon explains. "Each of the scenarios we used were based on real-life events."

All Respondents Had Suffered at Least One Attack

All of the enterprises surveyed had suffered at least one attack on trust due to failed key and certificate management. Easily preventable exploits of weak cryptography turned out to be both the most likely and the most costly, averaging $125 million per incident, per organization.

Attacks on trusted certificate authorities (CAs), which issue and validate digital certificates, can lead to man-in-the-middle and phishing attacks on enterprises, with costs averaging $73 million per incident, per organization.

Ponemon notes that the high cost makes sense given that attacks on cryptographic keys and certificates are difficult to detect and also target the most critical IT and business processes. He notes that the numbers are in line with the results of other major breaches, like the 2006 breach of TJX Companies, the owner of T.J. Maxx and other stores. In that instance, hackers accessed a system that stored information on customer credit card, debit card, check and merchandise return transactions. The breach affected 45.7 million customers and cost TJX at least $256 million.

"The Internet really relies on a mechanism of trust," Hudson says. "What trusts what and why does it trust it? This is not a well-understood area. Even at the CISO and CIO level, when we ask them 'where are your SSL certificates?' they don't really know. But it's fundamental to the way this whole thing works."

"This is also the first time when CEOs and other C-level executives in large corporates don't really have a clue how things work," Hudson adds. "It used to be they knew they could trust what was in their inventory because they could say, 'we've got armed guards, locked doors and keys, dogs, etc.' But when we move into this era of the Internet, they just don't know. They don't know how this machine knows it can trust that machine. And the bad guys have figured that out. What a bad guy will always do is go after you when you're not looking."

Organizations Don't Know How Many Keys, Certificates They Have

Much of the problem, Ponemon and Hudson agree, comes down to the fact that organizations simply do not know how many cryptographic keys and certificates exist in their infrastructure. The survey found that 61 percent of U.K. organizations don't know exactly how many keys and certificates they have deployed.

The same is true of 59 percent of Global 2000 organizations in France, 54 percent in the U.S., 47 percent in Australia and 34 percent in Germany. And that inability to discover where keys and certificates are deployed, how they are being used and who is using them essentially means that an enterprise has lost its control over trust, Ponemon says.

The problem may also be even worse than the above numbers imply. Ponemon found that respondents, on average, estimated they had 17,807 keys and certificates each. But Hudson notes that organizations invariably have far more than they estimate.

"When we go into a Global 2000, on average, when we're done they have discovered five times more of these instruments than they thought they had," Hudson says.

"The scale of the problem means it's not a human problem anymore," Ponemon adds. "You really need to have the right tools in place to manage it."

Compromised SSH Keys Most Alarming Threat

Perhaps most alarming, and identified as the biggest threat by respondents working in the security trenches, is the possibility of SSH key theft and compromise, which has an average potential exposure cost of $75 million.

While not well-known outside the domain of the system administrator, SSH is used extensively to establish secure connections between computers and provides root access to systems. As organizations adopt cloud computing, SSH keys become an even more tempting target, as SSH is used to maintain control and ownership of cloud systems like Amazon Web Services and Microsoft Azure.

SSH has been infrequently audited in the past, despite the fact that criminals who obtain keys used by a trusted administrator or system could compromise all connected systems and data, even if it's encrypted.

"The journey to regaining control over trust will require bringing together process, policy, people and technology," Ponemon says. "Best practices, such as those from NIST on preparing and responding to CA compromises and on managing the key management lifecycle, are valuable. Guidance from regulators, such as the U.K. Information Commissioner's Office (ICO) on cloud computing and data privacy, also provide valuable frameworks for maintaining control over trust in the current and emerging age of computing."